Safety & Cyber-Security Analysis based on Systems-Theory Carmen Frischknecht-Gruber, Christoph W. Senn, Sven S. Krauss, Monika U. Reif ZHAW Zurich University of Applied Sciences, Switzerland
Agenda
1. Motivation
2. Related Work
3. Research Objectives
4. Case study: U-space
5. Conclusion and Outlook

Evolving Technology
[Figure: comparison photo, 2005 vs. 2013; source http://www.spiegel.de/panorama/bild-889031-473242.html]

Why Safety and Security Analysis?
- Remote attack on a Jeep driving on the highway: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
- WannaCry ransomware hitting the NHS: https://www.telemedicineclinic.com/blog/wannacry-ransomware-hits-nhs-fails-interrupt-tmcservice/

The Need for a Safe and Secure U-space
- Drones used for theft, smuggling and spying (IBTimes UK): https://www.ibtimes.co.uk/dark-side-drone-police-reveal-uavs-being-used-theft-smuggling-spying-children-1523662#slideshow/1463177
- Tourist injured by a camera drone crashing at Alexanderplatz, Berlin (Berliner Kurier): https://www.berliner-kurier.de/berlin/polizei-und-justiz/tourist-verletzt-kamera-drohne-stuerzt-auf-alex-22493330
Related Work

Related Work
Few studies are available on the safety, security and privacy of drones:
- Chen, Zhang, Lu and Tang (2015)
- Schmittner, Ma and Puschner (2016)
- Plioutsias, Karanikas and Chatzimihailidou (2018)
Limitations:
- The focus is on the reliability, safety and security of the drone as a system in itself
- Integration into an unmanned air traffic management system has not been considered yet
References:
- Chen, J., Zhang, S., Lu, Y. and Tang, P. (2015). "STPA-based hazard analysis of a complex UAV system in take-off." 2015 International Conference on Transportation Information and Safety (ICTIS), Wuhan, pp. 774-779. doi:10.1109/ICTIS.2015.7232133
- Schmittner, C., Ma, Z. and Puschner, P. (2016). "Limitation and Improvement of STPA-Sec for Safety and Security Co-analysis." In: Skavhaug, A., Guiochet, J., Schoitsch, E. and Bitsch, F. (eds), Computer Safety, Reliability, and Security. SAFECOMP 2016. Lecture Notes in Computer Science, vol. 9923. Springer, Cham. doi:10.1007/978-3-319-45480-1_16
- Plioutsias, A., Karanikas, N. and Chatzimihailidou, M. M. (2018). "Hazard Analysis and Safety Requirements for Small Drone Operations: To What Extent Do Popular Drones Embed Safety?" Risk Analysis, 38: 562-584. doi:10.1111/risa.12867
Research Objective

Research Objective
Research Questions
- Safety and security analysis of the complete socio-technical system
- Consequences for UAS requirements and design
Hypothesis
- There are potential conflicts between safety and security measures
Research Method
- Case study based on publicly available material
- Perform an STPA analysis
- Perform an STPA-Sec analysis
- Summarize the results
(Image: https://auterion.com/product/)
U-space Case Study

U-space Overview: Stakeholders
- EASA, European Aviation Safety Agency
- SESAR, Single European Sky ATM Research
- BAZL, Bundesamt für zivile Luftfahrt / FOCA, Federal Office for Civil Aviation (Switzerland)
- Skyguide (Switzerland)
Source: SESAR, U-space Blueprint, SESAR Joint Undertaking, 2017, https://www.sesarju.eu/sites/default/files/documents/reports/uspace%20blueprint%20brochure%20final.pdf

U-space Overview: Mission
- Ensure the safety of all airspace users in operation
- Provide a scalable, flexible and adaptable system
- Manage the interface with manned aviation
- Enable high-density operations with multiple automated drones
- Follow a risk-based and performance-driven approach
- Set up appropriate requirements for safety and security

U-space Overview: Roadmap
- Milestone 1 (2019): primarily online registration and identification as well as geofencing
- Milestone 2 (2021): flight planning and airspace approval, live tracking and dynamic situational awareness
- Milestone 3 (2023): more complex operations become possible and more automation is available; increase of flights beyond visual line of sight
- Milestone 4 (2025): fully automated, networked and digital infrastructure throughout the European aviation area

U-space Overview: Switzerland
- Swiss U-space demonstrator, run by Skyguide
- https://www.skyguide.ch/de/events-medien/u-space-live-demonstration/
Zurich University of Applied Sciences, Sven Stefan Krauss, 6th European STAMP Workshop 2018
Analysis & Results

STPA and STPA-Sec Analysis
[Figure: hierarchical safety control structure. Controllers: UAS Operation Management, Air Traffic Control, UAS Management System, UAS Operator and UAV (operator and UAV together form the UAS). Information flows: flight ban map, obstacle map, weather info, telemetry data, real-time map, UAS positions, MAS positions, airspace information, license check.]
Hazards, Losses, Safety Constraints
Loss | Hazard | Safety Constraint
Collision with UAS | UAS operator is unresponsive | UAS shall have a self-supporting collision avoidance system
Loss of cargo | UAS opens cargo bay unintentionally | UAS cargo bay shall have a fail-safe locking mechanism
Loss of UAS | UAS is operated by an unauthorized person | UAS shall only be flown by authorized person(s)
4. Analysis of U-space

Example: Flight modification, STEP 1 (unsafe control actions)
Control action: Flight modification
1. Type: not provided when expected (STPA)
   Unsafe control action: UAS operator does not initiate flight modification when requested
   Hazard: UAS does not free airspace in an emergency situation
   Safety constraints: UAS shall have a safe self-supporting avoidance and landing function; airspace shall be freed within the time constraint
2. Type: intentionally hazardous flying behaviour (STPA-Sec)
   Unsafe control action: UAS (intentionally) does not free airspace when requested
   Hazards: UAS does not free airspace in an emergency situation; UAS is operated by an unauthorized person
   Safety constraints: as above, plus: an external emergency control system shall be provided (!)
Losses: collision with MAV, collision with UAS
(!): flagged on the slide. An external control path is exactly the kind of remote access to the UAS that the preliminary results question from a security standpoint; this is where a safety measure and a security requirement can conflict.
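The Step 1 bookkeeping above is easy to get inconsistent once several control actions are on the table. The following Python is an added example, not code from the slides or from the authors' tooling: it encodes the losses, hazards, unsafe control actions (UCAs) and safety constraints listed on the slides, enumerates which UCA categories have been examined for the control action "Flight modification", and runs the traceability checks an analyst wants before moving to Step 2 (every hazard traces to a loss, every UCA to a hazard, every hazard has a mitigating constraint). The identifiers L1/H1/UCA1/SC1, the wording of the UCA categories and the `remote_control` flag that marks the "(!)" constraint are this example's own assumptions.

```python
from dataclasses import dataclass, field

# STPA examines four ways a control action can be unsafe; STPA-Sec adds the case where it
# is withheld or misused on purpose (the slide's "intentionally hazardous flying behaviour").
# The wording of the categories is this example's own.
UCA_TYPES = ("not provided when expected", "provided, but unsafe",
             "provided too early, too late or out of order",
             "stopped too soon or applied too long", "intentionally hazardous (STPA-Sec)")

@dataclass(frozen=True)
class Loss:
    id: str
    text: str

@dataclass(frozen=True)
class Hazard:
    id: str
    text: str
    losses: tuple  # ids of the losses this hazard can lead to

@dataclass(frozen=True)
class UCA:
    id: str
    control_action: str
    uca_type: str
    text: str
    hazards: tuple  # ids of the hazards this unsafe control action leads to

@dataclass(frozen=True)
class Constraint:
    id: str
    text: str
    hazards: tuple  # ids of the hazards this constraint mitigates
    remote_control: bool = False  # assumption of this example: opens an external path into the UAS

@dataclass
class Analysis:
    losses: dict = field(default_factory=dict)
    hazards: dict = field(default_factory=dict)
    ucas: dict = field(default_factory=dict)
    constraints: dict = field(default_factory=dict)

    def add(self, *items):
        tables = {Loss: self.losses, Hazard: self.hazards, UCA: self.ucas, Constraint: self.constraints}
        for item in items:
            if item.id in tables[type(item)]:
                raise ValueError(f"duplicate id {item.id}")
            tables[type(item)][item.id] = item
        return self

    def check(self):
        """Traceability findings; an empty list means the Step 1 tables are consistent."""
        f = []
        for h in self.hazards.values():
            f += [f"{h.id}: unknown loss {x}" for x in h.losses if x not in self.losses]
            f += [f"{h.id}: traces to no loss"] if not h.losses else []
        for u in self.ucas.values():
            f += [f"{u.id}: unknown UCA type {u.uca_type!r}"] if u.uca_type not in UCA_TYPES else []
            f += [f"{u.id}: unknown hazard {x}" for x in u.hazards if x not in self.hazards]
            f += [f"{u.id}: traces to no hazard"] if not u.hazards else []
        mitigated = set()
        for c in self.constraints.values():
            f += [f"{c.id}: unknown hazard {x}" for x in c.hazards if x not in self.hazards]
            mitigated.update(c.hazards)
        f += [f"{h}: no safety constraint mitigates it" for h in self.hazards if h not in mitigated]
        return f

    def missing_uca_types(self, control_action):
        """UCA categories not yet examined for a control action (Step 1 completeness)."""
        seen = {u.uca_type for u in self.ucas.values() if u.control_action == control_action}
        return [t for t in UCA_TYPES if t not in seen]

    def conflict_candidates(self):
        """Constraints that add a remote path into the UAS, i.e. safety measures that
        STPA-Sec must re-examine as attack surface (the '(!)' on the slide)."""
        return [c.id for c in self.constraints.values() if c.remote_control]

def build_example():
    """Losses, hazards, UCAs and constraints as listed on the slides; ids are this example's own."""
    a = Analysis()
    a.add(Loss("L1", "Collision with MAV"), Loss("L2", "Collision with UAS"),
          Loss("L3", "Loss of cargo"), Loss("L4", "Loss of UAS"))
    a.add(Hazard("H1", "UAS does not free airspace in an emergency situation", ("L1", "L2")),
          Hazard("H2", "UAS operator is unresponsive", ("L2",)),
          Hazard("H3", "UAS opens cargo bay unintentionally", ("L3",)),
          Hazard("H4", "UAS is operated by an unauthorized person", ("L1", "L2", "L4")))
    a.add(UCA("UCA1", "Flight modification", UCA_TYPES[0],
              "UAS operator does not initiate flight modification when requested", ("H1",)),
          UCA("UCA2", "Flight modification", UCA_TYPES[4],
              "UAS (intentionally) does not free airspace when requested", ("H1", "H4")))
    a.add(Constraint("SC1", "UAS shall have a self-supporting collision avoidance system", ("H2",)),
          Constraint("SC2", "UAS shall have a safe self-supporting avoidance and landing function", ("H1",)),
          Constraint("SC3", "Airspace shall be freed within the time constraint", ("H1",)),
          Constraint("SC4", "An external emergency control system shall be provided", ("H1", "H4"),
                     remote_control=True),
          Constraint("SC5", "UAS cargo bay shall have a fail-safe locking mechanism", ("H3",)),
          Constraint("SC6", "UAS shall only be flown by authorized person(s)", ("H4",)))
    return a

if __name__ == "__main__":
    a = build_example()
    print(a.check() or "consistent", a.missing_uca_types("Flight modification"), a.conflict_candidates())
```

Run as a script it reports that the slide's tables are consistent, that three of the five UCA categories for "Flight modification" are still unexamined, and that SC4 is the constraint to revisit under STPA-Sec. Deleting a constraint (for instance the cargo-bay lock) makes `check()` report the hazard left without mitigation, which is the kind of regression that creeps in when tables are maintained by hand across STPA and STPA-Sec passes.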
Example: Flight modification, STEP 2 (control loop)
[Figure: control loop for the control action "flight modification". Controller: UAS operator, issuing the flight modification; UAS controller, translating it into low-level control actions; controlled process: UAS in operation; GPS sensor system providing sensor readouts (speed, altitude, ...); feedback to the operator: real-time position and UAS state.]
Unsafe control actions analysed:
- UAS operator does not initiate flight modification when requested
- UAS (intentionally) does not free airspace when requested

Example: Flight modification, STEP 2 (causal scenarios)
UCA: UAS operator does not initiate flight modification when requested
Guide words:
- If the external input is incorrect, then ...
- If the process model is incorrect, then ...
- If the control action (CA) is not given or is erroneous, then ...
Scenarios:
- UAS does not adjust its trajectory when UTM (unmanned traffic management) requested it
- UAS adjusts its trajectory incorrectly when UTM requested it
- UAS does not adjust its trajectory, or adjusts it incorrectly, when UTM requested it
Causal factors:
- Information flow between UAS and UTM is interrupted
- Information flow between UAS and UTM is corrupted
- Command processing is erroneous
- UAS controller is maliciously modified

Further guide words (no scenario or causal factor entries extracted for this slide):
- If the actuator is delayed or does not act at all, then ...
- If the process input at the UAS is wrong, then ...
- If feedback is given incorrectly or not at all to the sensors, or the sensors operate incorrectly, then ...
- If feedback is given too late, then ...
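The causal factors just listed (information flow interrupted or corrupted, command delivered too late, controller maliciously modified) are what a hardened UTM-to-UAS command link must at least make detectable, and they connect directly to the preliminary finding that data must be reliable during operation. The following Python is an added example, not the authors' code and not any U-space implementation: a UTM side that authenticates each flight-modification command with a sequence number and issue time under a shared key, and a UAS side that rejects corrupted, replayed and stale commands and falls back to the self-supporting avoidance/landing function when no authenticated command arrives within the time constraint. The wire format, the key, the 2 s freshness window and the 10 s time constraint are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed for the example; a real deployment provisions per-UAS keys.
KEY = b"example-shared-key-not-for-use"


def encode_command(key, seq, issued_at, cmd):
    """UTM side: canonical JSON body (sequence number, issue time, command)
    followed by an HMAC-SHA256 tag over the body."""
    body = json.dumps({"seq": seq, "t": issued_at, "cmd": cmd},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class CommandLink:
    """UAS-side receiver. Each rejection reason maps to a causal factor from
    the Step 2 analysis: corrupted flow -> MAC mismatch; replay or out of
    order -> sequence number; command too late -> freshness window;
    interrupted flow -> watchdog that triggers the self-supporting fallback."""

    def __init__(self, key, max_age_s=2.0, time_constraint_s=10.0):
        self.key = key
        self.max_age_s = max_age_s                  # assumed freshness window
        self.time_constraint_s = time_constraint_s  # assumed "airspace freed within" bound
        self.last_seq = 0
        self.last_accept = None

    def receive(self, wire, now):
        body, sep, tag = wire.rpartition(b"|")
        if not sep:
            return "rejected: malformed", None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "rejected: corrupted or forged (MAC mismatch)", None
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return "rejected: replayed or out of order", None
        if abs(now - msg["t"]) > self.max_age_s:
            return "rejected: stale (delivered too late)", None
        self.last_seq, self.last_accept = msg["seq"], now
        return "accepted", msg["cmd"]

    def link_state(self, now):
        """Watchdog: with no authenticated command inside the time constraint the UAS
        cannot rely on UTM to tell it to free airspace and must act on its own."""
        if self.last_accept is None or now - self.last_accept > self.time_constraint_s:
            return "interrupted: execute self-supporting avoidance/landing"
        return "ok"


def demo():
    """Constructed traffic exercising each causal factor; returns the verdicts in order."""
    link = CommandLink(KEY)
    good = encode_command(KEY, 1, 100.0, {"action": "free_airspace", "corridor": "A"})
    verdicts = [link.receive(good, 100.5)[0]]                      # fresh and in order
    tampered = good.replace(b'"corridor":"A"', b'"corridor":"Z"')  # body altered in transit
    verdicts.append(link.receive(tampered, 100.6)[0])
    verdicts.append(link.receive(good, 100.7)[0])                  # same message again
    late = encode_command(KEY, 2, 100.0, {"action": "free_airspace", "corridor": "B"})
    verdicts.append(link.receive(late, 105.0)[0])                  # 5 s old, window is 2 s
    verdicts.append(link.link_state(120.0))                        # nothing accepted for 19.5 s
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two caveats a practitioner would add. The freshness check depends on a trustworthy clock on the UAS; in the control loop shown on the slide that clock comes from the GPS sensor system, so a spoofed GPS feed shifts both the position feedback and the staleness decision. And a MAC detects corruption and forgery by an outsider, but not a UAS controller that is itself maliciously modified (the last causal factor above): that case needs integrity attestation of the flight-controller firmware, which is out of scope here.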
Preliminary Analysis Results
- Regulations for emergency situations must be clarified
- Emergency and intervention mechanisms are needed
- A prioritisation concept for UAS is needed
- Data must be reliable and must be tested for accuracy during operation
- High security standards are needed (remote access to the UAS?)
- The growth of U-space is unclear (scaling?)
Conclusion & Outlook

Conclusion and Outlook
Results
- STPA and STPA-Sec provide reasonable outcomes
- Conflicting measures can be found
Outlook
- The analysis must be conducted in more detail
- The security part may need to be reworked, since STPA-Sec does not provide an established best practice; more guidance may be needed
- The same holds for STPA in general: apply lessons learned to the new analysis and revisit the abstraction level
- Clarify uncertainties with experts; conduct expert interviews
«STPA and STPA-Sec do provide a good starting point for a full analysis. They could be seen as a basis or fundamental structure for further safety and security analysis techniques.»
Team Sicherheitskritische Systeme (Safety-Critical Systems)
Carmen Frischknecht-Gruber, frsh@zhaw.ch
Christoph Walter Senn, senh@zhaw.ch
Sven Stefan Krauss, krav@zhaw.ch
For further questions, I am now at your disposal.
(Image: https://auterion.com/product/)

Appendix
[Appendix figure: obstacle map and flight zone map by BAZL/FOCA]